Don't Trust, Verify: My Official GPG Key Is Here

Hi everyone,

I’ve published my official GPG public key for verifying all of my signed software releases. You can download it RIGHT HERE.

Why verify?

  • Authenticity: Ensures that the software you download actually came from me.
  • Integrity: Guards against tampering or corruption during download.

How to import and use the key

  1. Import the key:
curl -sL https://example.com/.well-known/myapp-devkey.pub.asc | gpg --import
  2. Check the fingerprint of what you just imported (HTTPS only proves which server you talked to; the fingerprint below is what ties the key to me):
gpg --fingerprint D5616558A7068A973E3F3CC2766662BB2575C083
If gpg answers "No public key", the key you imported is not mine.
  3. Verify a signature (the detached .sig file comes first, then the file it signs):
gpg --verify raspiblitz-...img.gz.sig raspiblitz-...img.gz
You want "Good signature from "Paul Lamb ..."". The "This key is not certified with a trusted signature!" warning only means you have not set a trust level yet; the "Primary key fingerprint" line it prints must match the fingerprint above.
  4. Trust the key: (optional)
gpg --edit-key D5616558A7068A973E3F3CC2766662BB2575C083
> trust
> 5 (ultimate)
> quit
Ultimate trust silences the warning, but it also makes every key this key has certified fully valid on your machine. If that is more than you want, gpg --lsign-key D5616558A7068A973E3F3CC2766662BB2575C083 (a local certification with your own key) clears the warning for this key only.
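If you verify releases regularly, the safer habit is to pin the published fingerprint in the check itself instead of depending on the trust level stored in your keyring. The script below is an added example, not the post's own tooling: it runs the detached-signature verification from the steps above with gpg's machine-readable --status-fd output and accepts the result only when the primary key fingerprint is the one printed above. It assumes the signature is a detached .sig next to the release (as in the Sparrow steps); the sample status lines and the 1111... "other key" fingerprint are constructed for the offline self-check, not captured from a real run.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a release against its
# detached .sig and pin the signing key's fingerprint, so the check depends on
# the fingerprint published in the post rather than on whatever trust level
# the local keyring happens to have.
#
# Assumption (not from the post): the signature is a detached .sig file next
# to the release, and decisions are taken from gpg's machine-readable
# --status-fd lines, not from the translated human-readable text.

# The fingerprint published in the post. This is the only thing trusted here.
EXPECTED_FPR="D5616558A7068A973E3F3CC2766662BB2575C083"

# check_status EXPECTED_FPR  <  gpg --status-fd output
# Prints exactly one verdict:
#   OK             good signature, primary key fingerprint matches
#   WRONG_KEY      good signature, but by some other key
#   BAD_SIGNATURE  signature does not match the file (tampered or corrupt)
#   NO_PUBKEY      signing key not in the keyring (import step was skipped)
#   UNKNOWN        nothing conclusive seen
check_status() {
    expected=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    verdict="UNKNOWN"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    verdict="BAD_SIGNATURE" ;;
            "[GNUPG:] NO_PUBKEY "*) verdict="NO_PUBKEY" ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd>
                #          <pk-algo> <hash-algo> <class> <primary-key-fpr>
                # The last field is the primary key, which is what a published
                # fingerprint names even when a signing subkey made the sig.
                primary=${line##* }
                if [ "$verdict" = "UNKNOWN" ]; then
                    if [ "$primary" = "$expected" ]; then
                        verdict="OK"
                    else
                        verdict="WRONG_KEY"
                    fi
                fi
                ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_release SIGFILE RELEASEFILE -> prints the verdict
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample status streams (not captured from a real run), shaped
# like what gpg --status-fd emits, for exercising check_status offline.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 766662BB2575C083 Paul Lamb (https://paulscode.com) <paul@paulscode.com>
[GNUPG:] VALIDSIG D5616558A7068A973E3F3CC2766662BB2575C083 2024-01-01 1704067200 0 4 0 1 10 00 D5616558A7068A973E3F3CC2766662BB2575C083'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 1111111111111111111111111111111111111111'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 766662BB2575C083 Paul Lamb (https://paulscode.com) <paul@paulscode.com>'
SAMPLE_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 766662BB2575C083 1 10 00 1704067200 9 D5616558A7068A973E3F3CC2766662BB2575C083
[GNUPG:] NO_PUBKEY 766662BB2575C083'

# Usage: sh verify-release.sh raspiblitz-...img.gz.sig raspiblitz-...img.gz
if [ "$#" -eq 2 ]; then
    verdict=$(verify_release "$1" "$2")
    echo "$verdict"
    [ "$verdict" = "OK" ] || exit 1
fi
```

The point of reading VALIDSIG rather than grepping for "Good signature" is that the human text is translated per locale and a good signature from the wrong key still says "Good signature"; only the fingerprint comparison turns "somebody signed this" into "Paul signed this".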

For those who are less comfortable around a terminal, I recommend using Sparrow:

  1. Tools > Verify Download
  2. For “Release File”, select the application file (e.g. raspiblitz-…img.gz)
  3. For “Signature”, select the .sig file (e.g. raspiblitz-…img.gz.sig)
  4. For “Public Key”, select the .asc public key mentioned above (paulscode.asc)

If it checks out, you should see everything checked:

✓ Signed By:    Paul Lamb (https://paulscode.com) <paul@paulscode.com>
✓ Release Hash: <matches signature> or "no hash required, signature signs release directly"
✓ Verified:     Ready to install raspiblitz-…img.gz